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DETAILED ACTION 

1 . This written action is responding to the amendment dated 08/07/2006. 

2. Claims 1,13, 22, 24, 30, 33 and 39-40 have been amended while Claims 6, 14, 
18, 28, and 37 have been cancelled. 

3. Claims 1-5, 7-13, 15-17, 19-27, 29-36, and 38-45 have been submitted for 
examination. 

4. Claims 1-5, 7-9, 11-13, 15-17, 19-27, 29-36, and 38-45 have been examined and 
rejected. 

Priority 

5. The application has been filed under Title 35 U.S.C. 119(e), claiming priority to 
provisional application 60/265,519, filed on Jan. 31, 2001. 

6. The effective filing data for the subject matter defined in the pending claims in 
this application is Jan. 31 , 2001 . 



Claim Objection 

7. Claims 1 and 22 are objected to because of the following informalities: 

a. Claims 1 and 22 recite the limitation on "wherein the audit scan is broader 
scan than the discovery scan". The term, "broader", fails to appropriately 
set forth the limitation that the audit scan is a thorough scan than the 
discovery scan which applicant(s) regard as the invention. Appropriate 
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correction is suggested as follow: "wherein the audit scan is a detailed 
scan comparing to the discovery scan". 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. Claims 30, 32-35, and 38 are rejected under 35 U.S.C. 103(a) as being 

unpatentable over Proctor (U.S. Patent 6,530,024) and further in view of 

Gleichauf etal. (U.S. Patent 6,301,668), Kingsford et al. (U.S. Patent 6,574,737), 

and Yang (U.S. Patent 6,467,002). 

a. Referring to Claim 30: 

As per Claim 30, Proctor discloses a method for assessing the security 

of a network comprising the steps of: 

selecting an audit scan to perform on the network element, said 
selection based on the initial scan [i.e., Object audit 324 can include 
an identification of one or more objects 322 to which the audit 
pertains, a user or users 326 whose activities should be audited 
with respect to identified objects, and operations 328 performed or 
attempted on the identified object or objects (lines 56-61, Col 7). 
Registry key audit 334 can include an identification of a list 332 of 
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one or more registry keys to be audited, a user or user 336 whose 
activities should be audited, a user or user 336 whose activities 
should be audited with respect to identified files, and operations 
338 performed or attempted on the identified registry keys (lines 
63-67, Col. 7). One example implementation of creating an object 
audit is illustrated n FIG. 5 (lines 18-20, Col. 8), where the type of 
object audit is subjected to edition and modification. FIG. 6 is a 
diagram of a computer screen illustrating an example 
implementation of a registry key audit according to one 
embodiment of the invention. Registry key list window portion 604 
allows a selection of one or more registry keys for the system of 
interest. Add, edit and remove buttons 609 can be used to update 
and create the registry key list (lines 1-7, Col. 9)]; 
performing the selected audit scan on the network [i.e., The auditing 
performed can include monitoring the networked computing 
environment for the occurrence of the identified activities for the 
users or groups of users (lines 10-12, Col. 2)]. 
receiving data from the selected audit scan of the network element [i.e., 
Collection policies are policies that set forth the specific details on 
how or when the auditing information is to be collected (lines 29-30, 
Col. 9)]; and 
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computing a security score for the network element from the selected 
audit scan [i.e., In one embodiment, the detection policy is used to 
establish thresholds or limits which, when reached, trigger an 
alarm or other condition indicating that a security breach, 
attempted security breach, or other network security condition has 
occurred or is occurring (line 67, Col. 9 and lines 1-4, Col. 10). The 
security policy can include security settings or values, which 
define the security of the system. The security policy can define 
parameters such as, for example, minimum and maximum 
password age, minimum and maximum password length, password 
uniqueness, account lockout, reset account time frames, lockout 
durations, forced log outs, user log ons to change password, and 
other security policies (lines 12-18, Col. 10). The collected records 
are provided to the security system for analysis. This analysis is 
referred to as a security assessment 924. In a step 1052, the 
security assessment is performed based on the audited activities 
that have been recorded in event log files 908. The security 
assessment is performed in accordance with the detection policy 
or policies 916 established for the network, or for that user or 
workstation (lines 41-48, Col. 11); where the security value sets the 
threshold value, which is used in comparing with the security 
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assessment result (security score) to determine whether a breach 
occurs or will occur]. 

Proctor does not expressly disclose the remaining limitations of the 
claim. However, Gleichauf et al. disclose receiving an initial scan 
identifying a network element [i.e., Scan engine 22 can direct requests 
upon the network and assess responses to such request to 
discover network information (lines 52-54, Col. 5). Such network 
information could comprise the devices coupled to internal network 
10, the operating systems running on such devices and the 
services available on each device (lines 59-62, Col. 5)], and 
Kingsford et al. disclose by summing one or more vulnerabilities 
associated wit the network element [In the preferred embodiment, 
vulnerabilities are assigned a risk value on a scale of 1-100, with 1- 
33 being low risk, 34-66 being medium risk, and 67-100 being high 
risk. Each system's risk and/or collective risk profile for the 
penetration test can be displayed to the user on the user interface 
(lines 41-46, Col. 19)]. Yang further discloses assigning an asset value 
for the element, wherein the asset value indicates the relative 
importance of the element in the network [i.e., Specifically, in one 
embodiment, the present invention assigns an initial priority order 
to the plurality of devices such tat those devices have priorities 
which are distinct (lines 44-46, Col. 2). Thus, the present invention 
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is highly conducive for use with existing computer systems and/or 
networks (lines 4-6, Col. 10)]. Proctor and Gleichauf et aL, Kingsford 
et aL, and Yang are analogous art because they are from similar 
technology relating to the security and scanning process of the computer 
system. It would have been obvious to one of ordinary skill in the art at 
the time of invention was made to have a scanning system capable of 
providing different scope of scanning functions by combining the network 
scan from Gleichauf et al. with the object and registry scans from Proctor 
and the detailed vulnerabilities values disclosed in Kingsford associated 
with the security assessment from Proctor, and the priority value 
associated with the devices in the network environment from Yang since 
one would have been motivated to (1) have a security product function in 
an environment wherein the traffic exceeds their memory or processor 
capacity (lines 34-36, Col. 2 from Gleichauf et al.), (2) have information 
contained in the data record reveals a security vulnerability discovered 
by the module (lines 39-41, Col. 19 from Kingsford et al.), and (3) realize 
that an efficient mechanism for priority arbitration is much needed in 
such a shred-resource environment in order to optimize the performance 
of computer systems and networks (lines 43-46, Col. 1 from Yang). 
Therefore, it would have been obvious to modify Proctor with Gleichauf 
et al., Kingsford, and Yang to obtain the invention as specified in Claim 
30. 
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b. Referring to Claim 32: 

As per Claim 32, Proctor, Gleichauf et al., Kingsford et al., and Yang 
disclose the method of claim 30. In addition, Proctor discloses modifying 
the selected audit scan, said modification based on the data received 
from the selected audit scan [i.e., The collected records are provided 
to the security system for analysis. This analysis is referred to as a 
security assessment 924. In a step 1052, the security assessment 
is performed based on the audited activities that have been 
recorded in event log files 908 (lines 41-45, Col. 11). When security 
assessment 924 determines that an actual attempted or potential 
security breach has occurred or is occurring, one or more policy 
updates 928 are made to on or more of the audit policy 904, 
collection policy 912, and detection policy 916 (lines 49-53, Col. 
11)] 

c. Referring to Claim 33: 

As per Claim 33, Proctor, Gleichauf et al., Kingsford et al., and Yang 
disclose the method of claim 30. In addition, Gleichauf et al. disclose 
wherein the step of receiving an initial scan comprises: 
identifying an operating system and a service for the network element, 
and identifying at least one vulnerability associated with the network 
element [i.e., Scan engine 22 can direct requests upon the network 
and assess responses to such requests to discover network 
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information (lines 52-54, Col. 5). Such network information could 
comprise the devices coupled to internal network 10, the operating 
systems running on such devices, and the services available on 
each device. Additionally, in the embodiment of FIG.1, scan engine 
22 is operable to analyze the network information to identify 
potential vulnerabilities of internal network 10, and confirm these 
potential vulnerabilities (lines 59-65, Col. 5)]. 

d. Referring to Claim 34: 

As per Claim 34, it encompasses limitations that are similar to those of 
Claim 30. Thus, it is rejected with the same rationale applied against 
Claim 30 above. 

e. Referring to Claim 35: 

As per Claim 35, Proctor, Gleichauf et al., Kingsford et al., and Yang 
disclose the method of claim 30, wherein the step of selecting an audit 
scan is based on a manual input [i.e., One example implementation of 
creating an object audit is illustrated n FIG. 5 (lines 18-20, Col. 8 
from Proctor), where the type of object audit is subjected to edition 
and modification. FIG. 6 is a diagram of a computer screen 
illustrating an example implementation of a registry key audit 
according to one embodiment of the invention. Registry key list 
window portion 604 allows a selection of one or more registry keys 
for the system of interest. Add, edit and remove buttons 609 can 
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be used to update and create the registry key list (lines 1-7, Col. 9 
from Proctor)]. 

f. Referring to Claim 38: 

As per Claim 38, Proctor, Gleichauf et al., Kingsford et al., and Yang 
disclose the steps recited in claim 30. In addition, Proctor discloses a 
computer-readable medium having computer-executable instructions 
[i.e., FIG. 15 is a block diagram illustrating a general purpose 
computer system, including examples of computer readable media 
for providing computer software or instructions to perform the 
functionality described herein (lines 11-14, Col. 17)]. 

9. Claim 31 is rejected under 35 U.S.C. 103(a) as being unpatentable over Proctor 
(U.S. Patent 6,530,024), Gleichauf et al. (U.S. Patent 6,301,668), and Kingsford 
et al. (U.S. Patent 6,574,737), and Yang (U.S. Patent 6,467,002) as applied to 
claim 30 above, and further in view of Hartley et al. (U.S. Patent 6,889,168). 
a. Referring to Claim 31: 

As per Claim 31, Proctor, Gleichauf et al., Kingsford et al., and Yang 
disclose the method of claim 30. Proctor, Gleichauf et al., Kingsford et 
al., and Yang do not expressly disclose the step of scheduling the 
selected audit scan, said scheduling based on the initial scan. However, 
Hartley et al. disclose the scheduling module which is used for specifying 
the time of conducting security modules or all the test [i.e., The 
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schedule module 32 provides the functionality to run security 
checks at predetermined intervals. Checks can be scheduled to 
run at specific designated times as well as at regular intervals such 
as monthly or weekly. The schedule module further provides the 
flexibility to run individual security modules or all tests (lines 9-14, 
Col. 7). A variety of further screens may be presented which 
provide the system user the choices of one or more modules 
scheduled, the data which the function will be performed. Further 
options may be provided such as periodic activation of the 
functions, one time activations of the functions, or the combination 
of various security and utility modules (lines31-38, Col. 10)]. 
Proctor, Gleichauf et al., Kingsford et al., Yang and Hartley et al. are 
analogous art because they are from similar technology relating to the 
security and scanning process of the computer system. It would have 
been obvious to one of ordinary skill in the art at the time of invention 
was made to combine Proctor, Gleichauf et al., Kingsford et al. and Yang 
with Hartley et al. to have the initial scan scheduled prior to the audit 
scan since one would be motivated to protect the information stored on 
server from unauthorized access (lines 49-50, Col. 1, Hartley et al.). 
Therefore, it would have been obvious to modify Proctor, Gleichauf et 
al., Kingsford et al. and Yang with Hartley et al. to obtain the invention as 
specified in Claim 31. 
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10. Claims 1-2, 4-5, 7-9, 11-13, 15, 17, 20-26, 29, 39-40, 42-45 are rejected under 
35 U.S.C. 103(a) as being unpatentable over Proctor (U.S. Patent 6,530,024) 
and further in view of Gleichauf et al. (U.S. Patent 6,301,668), Kingsford et al. 
(U.S. Patent 6,574,737), Hartley et al. (U.S. Patent 6,889,168), and Yang (U.S. 
Patent 6,467,002). 

a. Referring to Claim 1: 

As per Claim 1, Proctor discloses a computer-implemented method for 
configuring a security audit of a computer network [i.e., a networked 
computing environment (line 67, Col. 4)] comprising the steps of: 
configuring an audit scan to perform on the element, wherein the audit 
scan is a broader scan than the element [i.e., Object audit 324 can 
include an identification of one or more objects 322 to which the 
audit pertains, a user or users 326 whose activities should be 
audited with respect to identified objects, and operations 328 
performed or attempted on the identified object or objects (lines 56- 
61, Col 7). Registry key audit 334 can include an identification of a 
list 332 of one or more registry keys to be audited, a user or user 
336 whose activities should be audited, a user or user 336 whose 
activities should be audited with respect to identified files, and 
operations 338 performed or attempted on the identified registry 
keys (lines 63-67, Col. 7). One example implementation of creating 
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an object audit is illustrated in FIG. 5 (lines 18-20, Col. 8), where the 
type of object audit is subjected to edition and modification. FIG. 6 
is a diagram of a computer screen illustrating an example 
implementation of a registry key audit according to one 
embodiment of the invention. Registry key list window portion 604 
allows a selection of one or more registry keys for the system of 
interest. Add, edit and remove buttons 609 can be used to update 
and create the registry key list (lines 1-7, Col. 9)]; 
calculating a security score for the element based on the audit scan [i.e., 
In one embodiment, the detection policy is used to establish 
thresholds or limits which, when reached, trigger an alarm or other 
condition indicating that a security breach, attempted security 
breach, or other network security condition has occurred or is 
occurring (line 67, Col. 9 and lines 1-4, Col. 10). The security policy 
can include security settings or values, which define the security of 
the system. The security policy can define parameters such as, for 
example, minimum and maximum password age, minimum and 
maximum password length, password uniqueness, account 
lockout, reset account time frames, lockout durations, forced log 
outs, user log ons to change password, and other security policies 
(lines 12-18, Col. 10). The collected records are provided to the 
security system for analysis. This analysis is referred to as a 
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security assessment 924. In a step 1052, the security assessment 
is performed based on the audited activities that have been 
recorded in event log files 908. The security assessment is 
performed in accordance with the detection policy or policies 916 
established for the network, or for that user or workstation (lines 
41-48, Col. 11); where the security value sets the threshold value, 
which is used in comparing with the security assessment result 
(security score) to determine whether a breach occurs or will 
occur] 

Proctor discloses performing the audit scan on the element [i.e., The 
auditing performed can include monitoring the networked 
computing environment for the occurrence of the identified 
activities for the users or groups of users (lines 10-12, Col. 2)]. 
Proctor does not expressly disclose the remaining limitations of the 
claim. However, Gleichauf et al. disclose conducting a discovery scan to 
identify an element of the computer network and determine the 
element's functions [i.e., Scan engine 22 can direct requests upon 
the network and assess responses to such request to discover 
network information (lines 52-54, Col. 5). Such network information 
could comprise the devices coupled to internal network 10, the 
operating systems running on such devices and the services 
available on each device (lines 59-62, Col. 5)] and scanning process 
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can be repeated [i.e., At step 124 it is determined if the scanning 
steps should be repeated. If so, the method returns to step 100 to 
obtain updated network information, and the method is repeated 
(lines 12-14, Col. 9)]. In addition, Kingsford et al. disclose by summing 
one or more vulnerabilities associated wit the network element [In the 
preferred embodiment, vulnerabilities are assigned a risk value on 
a scale of 1-100, with 1-33 being low risk, 34-66 being medium risk, 
and 67-100 being high risk. Each system's risk and/or collective 
risk profile for the penetration test can be displayed to the user on 
the user interface (lines 41-46, Col. 19)], and Hartley et al disclose the 
scheduling module which is used for specifying the time of conducting 
security modules or all the test based on the choices [i.e., The schedule 
module 32 provides the functionality to run security checks at 
predetermined intervals. Checks can be scheduled to run at 
specific designated times as well as at regular intervals such as 
monthly or weekly. The schedule module further provides the 
flexibility to run individual security modules or all tests (lines 9-14, 
Col. 7). A variety of further screens may be presented which 
provide the system user the choices of one or more modules 
scheduled, the data which the function will be performed. Further 
options may be provided such as periodic activation of the 
functions, one time activations of the functions, or the combination 
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of various security and utility modules (lines31-38, Col. 10)]. Yang 
further discloses assigning an asset value for the element, wherein the 
asset value indicates the relative importance of the element in the 
network [i.e., Specifically, in one embodiment, the present invention 
assigns an initial priority order to the plurality of devices such tat 
those devices have priorities which are distinct (lines 44-46, Col. 2). 
Thus, the present invention is highly conducive for use with 
existing computer systems and/or networks (lines 4-6, Col. 10)]. 
Proctor, Gleichauf et al., Kingsford et al., Hartley et al., and Yang are 
analogous art because they are from similar technology relating to the 
security and scanning process of the computer system. It would have 
been obvious to one of ordinary skill in the art at the time of invention 
was made to combine Proctor with (1) Gleichauf et al. to have the 
different scope of scanning capability for the system, (2) Kingsford et al. 
to have the vulnerabilities values associated with the security 
assessment result, such as the security score, (3) Hartley et al. to have 
scheduling a time to perform the audit scan on the element, scheduling 
another time to repeat the audit scan on the element, the scheduling 
based on the results of the audit scan and security assessment result, 
such as the security score, and (4) Yang to have the priority value 
associated with the devices in the network environment. The motivation 
for doing so would be to have a security product to (1) function in an 
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environment wherein the traffic exceeds their memory or processor 
capacity (lines, 34-36, Col. 2, Gleichauf et al.), (2) have information 
contained in the data record reveals a security vulnerability discovered 
by the module (lines 39-41, Col. 19 from Kingsford et al.), (3) protect the 
information stored on server from unauthorized access (lines 49-50, Col. 
1, Hartley et al.), and (4) realize that an efficient mechanism for priority 
arbitration is much needed in such a shred-resource environment in 
order to optimize the performance of computer systems and networks 
(lines 43-46, Col. 1 from Yang). Therefore, it would have been obvious 
to modify Proctor with Gleichauf et al., Kingsford et al., Hartley et al., and 
Yang to obtain the invention as specified in Claim 1. 
b. Referring to Claim 2: 

As per Claim 2, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the method of claim 1. In addition, Proctor discloses 
the step of configuring a subsequent audit scan of the element that is 
different from the audit scan [i.e., One example implementation of 
creating an object audit is illustrated in FIG. 5 (lines 18-20, Col. 8), 
where the type of object audit can be subjected to variety of edition 
and modification. FIG. 6 is a diagram of a computer screen 
illustrating an example implementation of a registry key audit 
according to one embodiment of the invention. Registry key list 
window portion 604 allows a selection of one or more registry keys 
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for the system of interest. Add, edit and remove buttons 609 can 
be used to update and create the registry key list (lines 1-7, Col. 9)]. 

c. Referring to Claim 4: 

As per Claim 4, the rejection of Claim 1 is incorporated. In addition, 
Claim 4 encompasses the same limitations that are similar to those of 
Claim 1. Thus, it is rejected with the same rationale applied against 
Claim 1 above. 

d. Referring to Claim 5: 

As per Claim 5, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the method of claim 1. In addition, Gleichauf et al. 
disclose wherein the step of conducting a discovery scan further 
comprises identifying the one or more vulnerabilities associated with the 
element [i.e., In step 108, the potential vulnerabilities discovered in 
step 106 are confirmed, for example by executing active exploits on 
the network against the potential vulnerabilities (lines 15-18, Col. 
8)]. 

e. Referring to Claim 7: 

As per Claim 7, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the method of claim 6. In addition, Yang discloses 
the priorities associated with the devices are subjected to modification 
[i.e., Referring again to FIG 2A, in step 250, the priorities are 
reassigned among the devices (lines 48-49, Col. 6)]. 
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f. Referring to Claim 8: 

As per Claim 8, Proctor and Gleichauf et al., Kingsford et al., Hartley et 
al., and Yang disclose the method of claim 1. In addition, Yang 
discloses that the priority value for the network element can be user- 
selected [I.e., It is further appreciated that the initial priority order 
can be user designated (Iines15-17, Col. 6)]. 

g. Referring to Claim 9: 

As per Claim 9, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the method of claim 1. Proctor, Gleichauf et al., 
Kingsford et al., and Hartley et al. do not expressly disclose wherein the 
step of configuring an audit scan comprises selecting a type of audit 
scan based on the discovery scan. However, Proctor discloses 
configuring an audit scan as in Claim 1. In addition, Gleichauf et al. 
disclose the discovery scan as in Claim 1. Proctor, Gleichauf et al., and 
Hartley et al. are analogous art because they are from similar technology 
relating to the security and scanning process of the computer system. It 
would have been obvious to one of ordinary skill in the art at the time of 
invention was made to combine Proctor with Gleichauf et al. to have an 
audit scan process selected based on the prior discovery scan since one 
would have been motivated to have a increased security measure as 
users became more sophisticated (lines 36 and 43, Col 1). 
Therefore, it would have been obvious to modify Proctor with Gleichauf 
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et al., Kingsford et al., and Hartley et al. to obtain the invention as 
specified in Claim 9. 

h. Referring to Claim 11: 

As per Claim 1 1 , Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the method of claim 1 . In addition, Proctor discloses 
wherein the step of configuring an audit scan comprises manually 
selecting the type of audit scan [i.e., One example implementation of 
creating an object audit is illustrated n FIG. 5 (lines 18-20, Col. 8), 
where the type of object audit can be subjected to variety of edition 
and modification. Although the functionality is not illustrated on 
the screen diagram of FIG. 5, the functionality can be provided in 
one embodiment to allow the administrator to create and edit 
custom groups (lines 50-53, Col. 8). FIG. 6 is a diagram of a 
computer screen illustrating an example implementation of a 
registry key audit according to one embodiment of the invention. 
Registry key list window portion 604 allows a selection of one or 
more registry keys for the system of interest. Add, edit and remove 
buttons 609 can be used to update and create the registry key list 
(lines 1-7, Col. 9). Additionally, the administrator can select 
whether to replace auditing on existing sub keys as illustrated by 
selection box 614 (lines 16-18, Col 9)]. 

i. Referring to Claim 12: 
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As per Claim 12 Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the steps recited in claim 1. In addition, Proctor 
discloses a computer-readable medium having computer-executable 
instructions [i.e., FIG. 15 is a block diagram illustrating a general 
purpose computer system, including examples of computer 
readable media for providing computer software or instructions to 
perform the functionality described herein (lines 11-14, Col. 17)]. 

j. Referring to Claim 13: 

As per Claim 13, it encompasses limitations that are similar to those of 
Claim 1. Thus, it is rejected with the same rationale applied against 
Claim 1 above. 

k. Referring to Claim 15: 

As per Claim 15, it encompasses limitations that are similar to those of 
Claim 1. Thus, it is rejected with the same rationale applied against 
Claim 1 above. 

I. Referring to Claim 17: 

As per Claim 17, the rejection of Claim 13 is incorporated. In addition, 
Claim 17 encompasses limitations that are similar to those of Claim 4 
and 5. Thus, it is rejected with the same rationale applied against Claim 
4 and 5 above. 

m. Referring to Claim 20: 
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As per Claim 20, the rejection of Claim 13 is incorporated. In addition, 
Claim 20 encompasses limitations that are similar to those of Claim 11. 
Thus, it is rejected with the same rationale applied against Claim 11 
above. 

n. Referring to Claim 21: 

As per Claim 21, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the steps recited in claim 13. In addition, Proctor 
discloses a computer-readable medium having computer-executable 
instructions [i.e., FIG. 15 is a block diagram illustrating a general 
purpose computer system, including examples of computer 
readable media for providing computer software or instructions to 
perform the functionality described herein (lines 11-14, Col. 17)]. 

o. Referring to Claim 22: 

As per Claim 22, it encompasses limitations that are similar to those of 
Claim 1 and 30. Thus, it is rejected with the same rationale applied 
against Claim 1 and 30 above. 

p. Referring to Claim 23: 

As per Claim 23, the rejection of Claim 22 is incorporated. In addition, 
Claim 23 encompasses limitations that are similar to those of Claim 32. 
Thus, it is rejected with the same rationale applied against Claim 32 
above. 

q. Referring to Claim 24: 
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As per Claim 24, the rejection of Claim 22 is incorporated. Gleichauf et 
al. further disclose identifying an operating system for the network 
element [i.e., Scan engine 22 can direct requests upon the network 
and assess responses to such requests to discover network 
information (lines 52-54, Col. 5). Such network information could 
comprise the devices coupled to internal network 10, the operating 
systems running on such devices (lines 59-61, Col. 5)]. In addition, 
Claim 24 encompasses limitations that are similar to those of Claim 4 
and 5. Thus, it is also rejected with the same rationale applied against 
Claim 4 and 5 above. 

r. Referring to Claim 25: 

As per Claim 25, it encompasses limitations that are similar to those of 
Claim 22. Thus, it is rejected with the same rationale applied against 
Claim 22 above. 

s. Referring to Claim 26: 

As per Claim 26, the rejection of Claim 22 is incorporated. In addition, 
Claim 26 encompasses limitations that are similar to those of Claim 35. 
Thus, it is rejected with the same rationale applied against Claim 35 
above. 

t. Referring to Claim 29: 

As per Claim 29, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the steps recited in claim 22. In addition, Proctor 
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discloses a computer-readable medium having computer-executable 
instructions [i.e., FIG. 15 is a block diagram illustrating a general 
purpose computer system, including examples of computer 
readable media for providing computer software or instructions to 
perform the functionality described herein (lines 11-14, Col. 17)]. 
u. Referring to Claim 39: 

As per Claim 39, Proctor discloses a system for configuring [i.e., One 
example implementation of creating an object audit is illustrated n 
FIG. 5 (lines 18-20, Col. 8), where the type of object audit is 
subjected to edition and modification. FIG. 6 is a diagram of a 
computer screen illustrating an example implementation of a 
registry key audit according to one embodiment of the invention. 
Registry key list window portion 604 allows a selection of one or 
more registry keys for the system of interest. Add, edit and remove 
buttons 609 can be used to update and create the registry key list 
(lines 1-7, Col. 9)] a security audit of a computer network comprising the 
computer network [i.e., a computer network (line 3, Col. 5)]. Proctor 
further discloses a console operable for receiving and transmitting 
information about the audit scan [i.e., Security procedures can also be 
applied to security console 104B (lines 42-43, Col. 5). In one 
embodiment, the security procedures can include for example, one 
or more of security policies, collection policies, detection policies 
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and audit policies. The security console 104B can also perform the 
adaptive feedback operations, including updating the security 
procedures based on security occurrences (lines 45-47, Col. 5). 
The example embodiment illustrated in FIG. 3, the audit policy 300 
includes a system audit 304, and object audit 324, and a registry 
key audit 334 (lines 48-50, Col. 7)]. Proctor further discloses 
computing a security score for the network element from the selected 
audit scan [i.e., In one embodiment, the detection policy is used to 
establish thresholds or limits which, when reached, trigger an 
alarm or other condition indicating that a security breach, 
attempted security breach, or other network security condition has 
occurred or is occurring (line 67, Col. 9 and lines 1-4, Col. 10). The 
security policy can include security settings or values, which 
define the security of the system. The security policy can define 
parameters such as, for example, minimum and maximum 
password age, minimum and maximum password length, password 
uniqueness, account lockout, reset account time frames, lockout 
durations, forced log outs, user log ons to change password, and 
other security policies (lines 12-18, Col. 10). The collected records 
are provided to the security system for analysis. This analysis is 
referred to as a security assessment 924. In a step 1052, the 
security assessment is performed based on the audited activities 
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that have been recorded in event log files 908. The security 
assessment is performed in accordance with the detection policy 
or policies 916 established for the network, or for that user or 
workstation (lines 41-48, Col. 11); where the security value sets the 
threshold value, which is used in comparing with the security 
assessment result (security score) to determine whether a breach 
occurs or will occur]. Proctor does not expressly disclose a discovery 
scan and scheduling feature associated with different types of scans, 
However, Gleichauf et al. disclose a security audit system [i.e., network 
security system 20 (line 16, Col. 5)] operable for conducting a 
discovery scan to identify an element of the computer network [i.e., 
Scan engine 22 can direct requests upon the network and assess 
responses to such requests to discover network information (lines 
52-54, Col. 5)]. In addition, Kingsford et al. disclose by summing one or 
more vulnerabilities associated wit the network element [In the 
preferred embodiment, vulnerabilities are assigned a risk value on 
a scale of 1-100, with 1-33 being low risk, 34-66 being medium risk, 
and 67-100 being high risk. Each system's risk and/or collective 
risk profile for the penetration test can be displayed to the user on 
the user interface (lines 41-46, Col. 19)], and Hartley disclose the 
scheduling module which is used for specifying the time of conducting 
security modules or all the test [i.e., The schedule module 32 provides 
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the functionality to run security checks at predetermined intervals. 
Checks can be scheduled to run at specific designated times as 
well as at regular intervals such as monthly or weekly. The 
schedule module further provides the flexibility to run individual 
security modules or all tests (lines 9-14, Col. 7)]. Yang further 
discloses assigning an asset value for the element, wherein the asset 
value indicates the relative importance of the element in the network 
[i.e., Specifically, in one embodiment, the present invention assigns 
an initial priority order to the plurality of devices such tat those 
devices have priorities which are distinct (lines 44-46, Col. 2). 
Thus, the present invention is highly conducive for use with 
existing computer systems and/or networks (lines 4-6, Col. 10)]. 
Proctor, Gleichauf et al., Kingsford et al., Hartley et al., and Yang are 
analogous art because they are from similar technology relating to the 
security and scanning process of the computer system. It would have 
been obvious to one of ordinary skill in the art at the time of invention 
was made to combine Proctor with (1) Gleichauf et al. to have the 
different scope of scanning capability for the system, (2) Kingsford et al. 
to have the vulnerabilities values associated with the security 
assessment result, such as the security score, (3) Hartley et al. to have 
scheduling a time to perform the audit scan on the element, scheduling 
another time to repeat the audit scan on the element, the scheduling 
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based on the results of the audit scan and security assessment result, 
such as the security score, and (4) Yang to have the priority value 
associated with the devices in the network environment. The motivation 
for doing so would be to have a security product to (1) function in an 
environment wherein the traffic exceeds their memory or processor 
capacity (lines, 34-36, Col. 2, Gleichauf et al.), (2) have information 
contained in the data record reveals a security vulnerability discovered 
by the module (lines 39-41, Col. 19 from Kingsford et al.), (3) protect the 
information stored on server from unauthorized access (lines 49-50, Col. 
1, Hartley et al.), and (4) realize that an efficient mechanism for priority 
arbitration is much needed in such a shred-resource environment in 
order to optimize the performance of computer systems and networks 
(lines 43-46, Col. 1 from Yang). Therefore, it would have been obvious 
to modify Proctor with Gleichauf et al., Kingsford et al., Hartley et al., and 
Yang to obtain the invention as specified in Claim 39. 

v. Referring to Claim 40: 

As per Claim 40, the rejection of Claim 39 is incorporated. In addition, 
Claim 40 encompasses limitations that are similar to those of Claim 4 
and 5. Thus, it is also rejected with the same rationale applied against 
Claim 4 and 5 above. 

w. Referring to Claim 42: 
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As per Claim 42, Proctor, Gleichauf et aL, Kingsford et al., Hartley et al., 
and Yang disclose the system of claim 39. In addition, Gleichauf et aL 
disclose wherein the security audit system further comprises a system 
scanning engine operable for detecting particular one of the 
vulnerabilities on the network element [i.e., Additionally, in the 
embodiment of FIG. 1, scan engine 22 is operable to analyze the 
network information to identify potential vulnerabilities of internal 
network 10 (lines 62-65, Col. 15)]. 

x. Referring to Claim 43: 

As per Claim 43, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the system of claim 39. In addition, Gleichauf et al. 
disclose wherein the security audit system further comprises an Internet 
scanning engine operable for performing a discovery scan on the 
network [i.e., Scan engine 22 can direct request upon the network 
and assess responses to such requests to discover network 
information. In one embodiment, scan engine 22 scans devices on 
internal network, such as workstations 12. For example, Scan 
engine 22 could ping devices on internal network 10 and then 
perform port scans on each device. Banners from the port scans 
could be collected and analyzed to discover network information 
(lines 52-59, Col. 5)]. 

y. Referring to Claim 44: 
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As per Claim 44, Proctor, Gleichauf et al., Kingsford et aL, Hartley et al., 
and Yang disclose the system of claim 39. In addition, Gleichauf et al. 
disclose the security audit system. Gleichauf et al. do not expressly 
disclose the remaining limitations of the claim. However, Hartley et al. 
disclose a database scanning engine operable for detecting 
vulnerabilities associated with database elements within the network 
[i.e., The integrity checker module 22 performs an analysis of the 
computer system in order to find security holes located therein. 
The analysis performed may find vulnerabilities in such things as: 
the type of computer/operating system used, the access privileges 
of files, the owner of the files, the group of the files, the date of the 
files, or a version number for a send mail program (lines 36-42, Col. 
5)]. Proctor, Gleichauf et al., Kingsford et al., and Hartley et al. are 
analogous art because they are from similar technology relating to the 
security and scanning process of the computer system. It would have 
been obvious to one of ordinary skill in the art at the time of invention 
was made to combine Proctor with Gleichauf et al., Kingsford et al., and 
Hartley et al. to have scanning engine for analyzing the vulnerability 
relating to the software files since one would have been motivated to 
have a security product (1) function in an environment wherein the traffic 
exceeds their memory or processor capacity (lines, 34-36, Col. 2, 
Gleichauf et al.) (2) have information contained in the data record 
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reveals a security vulnerability discovered by the module (lines 39-41, 
Col. 19 from Kingsford et al.), and (3) to protect the information stored on 
server from unauthorized access (lines 49-50, Col. 1, Hartley et al.). 
Therefore, it would have been obvious to modify Proctor with Gleichauf 
et al., Kingsford et al., and Hartley et al. to obtain the invention as 
specified in Claim 44. 
z. Referring to Claim 45: 

As per Claim 45, Proctor, Gleichauf et al., Kingsford et al., Hartley et al., 
and Yang disclose the system of claim 39. Gleichauf et al. further 
disclose the security audit system and the discovery scan, Gleichauf et 
al. do not expressly disclose the remaining limitations of the claim. 
However, Proctor discloses the audit scan as in Claim 1. In addition, 
Hartley et al. disclose an active scan engine [i.e., The security system 
processing module 15 (Iine13-14, Col. 4)] operable for selecting, 
coordinating, and scheduling various scans to be performed on the 
computer network. Proctor, Gleichauf et al., Kingsford et al., and Hartley 
et al. are analogous art because they are from similar technology 
relating to the security and scanning process of the computer system. It 
would have been obvious to one of ordinary skill in the art at the time of 
invention was made to combine Proctor with Gleichauf et al. Kingsford et 
al., and Hartley et al. to have the active security system processing 
module managing the scanning processes from Proctor and Gleichauf et 
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al. since one would have been motivated to have a security product 
function in an environment wherein the traffic exceeds their memory or 
processor capacity (lines, 34-36, Col. 2, Gleichauf et al.) and to protect 
the information stored on server from unauthorized access (lines 49-50, 
Col. 1 , Hartley et al.). Therefore, it would have been obvious to modify 
Proctor with Gleichauf et al., Kingsford et al., and Hartley et al. to obtain 
the invention as specified in Claim 45. 

11. Claims 3, 16, 27, and 41 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Proctor (U.S. Patent 6,530,024), Gleichauf et al. (U.S. Patent 
6,301,668), Kingsford et al. (U.S. Patent 6,574,737), and Hartley et al. (U.S. 
Patent 6,889,168), and Yang (U.S. Patent 6,467,002) as applied to claims 1,13, 
22, and 39 above, and further in view of Brabson et al. (U.S. Patent 5,715,395). 
a. Referring to Claim 3: 

As per Claim 3, Proctor, Gleichauf et al., Kingsford et al., Hartley et al. 
and Yang disclose the method of claim 1. Proctor, Gleichauf et al., 
Kingsford et al., Hartley et al. and Yang do not explicitly disclose the step 
of receiving a blackout time during which no audit scan can be 
scheduled. However, Brabson et al. disclose that network can be 
scheduled to be unavailable due to the scheduled maintenance and 
appropriate method would be utilized to provide this information to the 
network node [i.e., a particular portion of a network was scheduled 
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to be unavailable for scheduled maintenance it would supply 
appropriate values for the UNAVAILABILITY PERIOD to the Network 
nodes. If the UNAVAILABILITY PERIOD information is stored in a 
table at the originating node the network manager could update the 
table as required (lines 23-28, Col. 11)]. Proctor, Gleichauf et ah, 
Kingsford et ah, Hartley et ah, Yang, and Barbson are analogous art 
because they are from similar technology relating to the network and 
computer system. It would have been obvious to one of ordinary skill in 
the art at the time of invention was made to combine Proctor, Gleichauf 
et ah, Kingsford et ah, Hartley et ah, and Yang, with Brabson et ah to 
have the schedule module providing time information regarding to 
scheduled scanning tasks and the blackout time due to network 
maintenance since one would have been motivated to reduce the 
impact of network resource location traffic when resources become 
unavailable, Unreachable, or unlocatable (lines 65-67, Col. 3). 
Therefore, it would have been obvious to modify Proctor, Gleichauf et 
ah, Kingsford et ah, Hartley et ah, and Yang with Brabson et ah to obtain 
the invention as specified in Claim 33. 
b. Referring to Claim 16: 

As per Claim 16, the rejection of Claim 13 is incorporated. In addition, 
Claim 16 encompasses limitations that are similar to those of Claim 3. 
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Thus, it is rejected with the same rationale applied against Claim 3 
above, 
c. Referring to Claim 27: 

As per Claim 27, Proctor, Gleichauf et al., Kingsford et al M Hartley et al. 
and Yang disclose the method of claim 22. Proctor, Gleichauf et al., 
Kingsford et al., Hartley et al. and Yang do not explicitly disclose the step 
of receiving a blackout time during which no audit scan can be 
scheduled. However, Brabson et al. disclose that network can be 
scheduled to be unavailable due to the scheduled maintenance and 
appropriate method would be utilized to provide this information to the 
network node for the network manager to be aware [i.e., Thus, if the 
network manager was aware that a particular portion of a network 
was scheduled to be unavailable for scheduled maintenance it 
would supply appropriate values for the UNAVAILABILITY PERIOD 
to the Network nodes. If the UNAVAILABILITY PERIOD information 
is stored in a table at the originating node the network manager 
could update the table as required (lines 22-28, Col. 11)]. Proctor, 
Gleichauf et al., Kingsford et aL, Hartley et al., Yang, and Barbson are 
analogous art because they are from similar technology relating to the 
network and computer system. It would have been obvious to one of 
ordinary skill in the art at the time of invention was made to combine 
Proctor, Gleichauf et al., Kingsford et al., Hartley et al., and Yang wtih 
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Brabson et al. to have the schedule module providing time information 
regarding to scheduled scanning tasks and the blackout time due to 
network maintenance since one would have been motivated to reduce 
the impact of network resource location traffic when resources 
become unavailable, unreachable, or unlocatable (lines 65-67, Col. 
3). Therefore, it would have been obvious to modify Proctor, Gleichauf 
et al., Kingsford et al., Hartley et aL, and Yang with Brabson et al. to 
obtain the invention as specified in Claim 27. 
d. Referring to Claim 41: 

As per Claim 41, the rejection of Claim 39 is incorporated. In addition, 
Claim 41 encompasses limitations that are similar to those of Claim 27. 
Thus, it is rejected with the same rationale applied against Claim 27 
above. 

12. Claim 36 is rejected under 35 U.S.C. 103(a) as being unpatentable over Proctor 
(U.S. Patent 6,530,024), Gleichauf et al. (U.S. Patent 6,301,668), Kingsford etal. 
(U.S. Patent 6,574,737), and Yang (U.S. Patent 6,467,002) as applied to claim 
30 above, and further in view of Hartley et al. (U.S. Patent 6,889,168) and 
Brabson et al. (U.S. Patent 5,715,395). 
a. Referring to Claim 36: 

As per Claim 36, the rejection of Claim 30 is incorporated. In addition, 
Claim 36 encompasses limitations that are similar to those of Claim 27. 
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Thus, it is rejected with the same rationale applied against Claim 27 
above. 

13. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Proctor 

(U.S. Patent 6,530,024), Gleichauf et al. (U.S. Patent 6,301 ,668), Kingsford et al. 

(U.S. Patent 6,574,737), Hartley et al. (U.S. Patent 6,889,168), and Yang (U.S. 

Patent 6,467,002) as applied to claims 1 and 13 above, and further in view of and 

Barroux (U.S. Patent 6,220,768). 
a. Referring to Claim 19: 

As per Claim 19, Proctor, Gleichauf et al., Kingsford et al., and Hartley et 
al. disclose the method of claim 1. Proctor, Gleichauf, Kingsford et al., 
and Hartley et al. do not expressly disclose remaining limitations of the 
claims. However, Gleichauf et al. disclose identifying the function of the 
network element based on the discovery scan [i.e., Scan engine 22 can 
direct request upon the network and assess responses to such 
requests to discover network information (lines 52-54, Col. 5). 
Such network information could comprise the devices coupled to 
internal network 10, the operating systems running on such 
devices, and services available on each device (lines 59-62, Col. 5)]. 
Proctor discloses a policy for auditing [i.e., Audit policy 300 (Fig. 3), 
which comprises of system audit, object audit, and registry key 
audit]. Yang discloses a priority assignment module for assigning 
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priority values to various devices in the network environment [i.e., 
Specifically, in one embodiment, the present invention assigns an 
initial priority order to the plurality of devices such tat those 
devices have priorities which are distinct (lines 44-46, Col. 2). 
Thus, the present invention is highly conducive for use with 
existing computer systems and/or networks (lines 4-6, Col. 10)]. 
Barroux discloses scheduling of tasks required for repetition [Integrated 
resource 200 also computes whether tasks need to be repeated and 
builds an interval schedule for tasks requiring repetition into its 
schedule (lines 36-38, Col. 4)]. Proctor, Gleichauf et al., Kingsford et 
al., Hartley et al., Yang, and Barroux are analogous art because they are 
from similar technology relating to the computer system in the network. 
It would have been obvious to one of ordinary skill in the art at the time 
of invention was made to modify Proctor, Gleichauf et al., Kingsford et 
aL, Hartley et al. with Yang and Barroux to have the priority values 
associated to the network elements converted into repetitively scheduled 
tasks and associated the results with the policy disclosed by Proctor and 
the role by Gleichauf et al. since one would have been motivated to 
realize that an efficient mechanism for priority arbitration is much needed 
in such a shred-resource environment in order to optimize the 
performance of computer systems and networks (lines 43-46, Col. 1, 
Yang) and to take advantage of SNMP (Simple Network Management 



Application/Control Number: 10/066,367 Page 38 

Art Unit: 2135 

Protocol) to collect survey information for a TCP/IP network (lines 10-12, 
Col. 2 from Barroux). Therefore, it would have been obvious to modify 
Proctor, Gleichauf et al., Kingsford et al., Hartley et al. with Yang and 
Barroux to obtain the invention as specified in Claim 19. 

Response to Arguments 

14. Applicant's remark, filed on Aug. 07, 2006, has Claims 1, 13, 22, 24, 30, 33 and 
39-40 amended. Among these amended claims, Claims 1,13, 22, 30, and 39 
are the independent claims that have been modified to include the limitation 
"assigning an asset value for the element, wherein the asset value indicates the 
relative importance of the element in the network". Please refer to rejections 
above. 

15. Applicant 's remark, filed on Aug. 07, 2006, argues that the combination of the 
cited prior art by Proctor, Hartley, Kingsford, Gleichauf, Yang, Brabson, and 
Barroux fails to disclose the limitations of Claim 1 . In particular, Applicant argues 
the following: (a) Proctor reference fails to teach calculating a security score for 
the element based on the audit scan by summing one or more vulnerabilities 
associated with the element, (b) Hartley and Gleichauf references, either alone or 
in combination, fail to teach scheduling another time to repeat the audit scan on 
the element, the scheduling based on the results of the audit scan and the 
security score, calculating a security score for the element based on the audit 
scan by summing one or more vulnerabilities associated with the element, and 
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assigning an asset value for the element, wherein the asset value indicates the 
relative importance of the element in the network, (c) Yang reference fails to 
teach conducting a discovery scan to identify an element of the computer 
network and determine the element's functions and assigning an asset value for 
the element, wherein the asset value indicates the relative importance of the 
element in the network, and (d) Kingsford reference fails to teach calculating a 
security score for the element based on the audit scan by summing one or more 
vulnerabilities associated with the element and teach conducting a discovery 
scan to identify an element of the computer network and determine the element's 
functions and assigning an asset value for the element, wherein the asset value 
indicates the relative importance of the element in the network. 

16. Applicant 's remark, filed on Aug. 07, 2006, further argues that the Brabson and 
Barroux references fail to teach or suggest at least the features as set forth in 
amended independent Claim 1. 

17. Applicant 's remark, filed on Aug. 07, 2006, further argues the above-mentioned 
references also fail to teach or suggest the at least the features as set forth in 
other amended independent claims for the same reasons as of Claim 1 . 

18. Applicant's remark has been considered, but found not persuasive based on the 
reasons below. 



Regarding to Argument (1): 
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Examiner disagrees with Applicant's argument on the rejection of Claim 1 from 
the Office Action on Mar. 07, 2006, according the information disclosed by the 
cited references in the followings: 

(a) Proctor discloses the limitations on configuring an audit scan to perform on 
the element and the audit scan (i.e., registry audit) is a more detailed scan than 
the discovery one [Object audit 324 can include an identification of one or 
more objects 322 to which the audit pertains, a user or users 326 whose 
activities should be audited with respect to identified objects, and 
operations 328 performed or attempted on the identified object or objects 
(lines 56*61, Col 7). Registry key audit 334 can include an identification of a 
list 332 of one or more registry keys to be audited, a user or user 336 
whose activities should be audited, a user or user 336 whose activities 
should be audited with respect to identified files, and operations 338 
performed or attempted on the identified registry keys (lines 63-67, Col. 7)], 
and calculating a security score for the element based on the audit scan as the 
values associated to the security assessment [The security policy can include 
security settings or values, which define the security of the system. The 
security policy can define parameters such as, for example, minimum and 
maximum password age, minimum and maximum password length, 
password uniqueness, account lockout, reset account time frames, lockout 
durations, forced log outs, user log ons to change password, and other 
security policies (lines 12-18, Col. 10). The collected records are provided 
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to the security system for analysis. This analysis is referred to as a 
security assessment 924. In a step 1052, the security assessment is 
performed based on the audited activities that have been recorded in event 
log files 908. The security assessment is performed in accordance with the 
detection policy or policies 916 established for the network, or for that user 
or workstation (lines 41-48, Col. 11)]; 

(b) Harley reference discloses the limitation about scheduling time to perform the 
scan on the element and repeating another scan based on the options (i.e., 
related to the security score and previous scan result, and etc) by having a 
scheduling module for specifying the time of conducting security modules or all 
the test based on the choices [The schedule module 32 provides the 
functionality to run security checks at predetermined intervals. Checks 
can be scheduled to run at specific designated times as well as at regular 
intervals such as monthly or weekly. The schedule module further 
provides the flexibility to run individual security modules or all tests (lines 
9-14, Col. 7). A variety of further screens may be presented which provide 
the system user the choices of one or more modules scheduled, the data 
which the function will be performed. Further options may be provided 
such as periodic activation of the functions, one time activations of the 
functions, or the combination of various security and utility modules 
(lines31-38, Col. 10)]. Gleichauf reference further discloses conducting a 
discovery scan to identify an element of the computer network and determine the 
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elements functions [i.e., Scan engine 22 can direct requests upon the 
network and assess responses to such request to discover network 
information (lines 52-54, Col. 5). Such network information could comprise 
the devices coupled to internal network 10, the operating systems running 
on such devices and the services available on each device (lines 59-62, 
Col. 5)] and repeating the scanning process [i.e., At step 124 it is determined if 
the scanning steps should be repeated. If so, the method returns to step 
100 to obtain updated network information, and the method is repeated 
(lines 12-14, Col. 9)]. 

(c) Yang reference discloses assigning an asset value for the element, wherein 
the asset value indicates the relative importance of the element in the network as 
assigning different priority order to each device in the network environment 
[Arbiter 101 determines the sequential order in which the requesting device 
is granted access to shared resource 199A based on a priority arbitration 
scheme (lines 40-42, Col. 4). Specifically, in one embodiment, the present 
invention assigns an initial priority order to the plurality of devices such tat 
those devices have priorities which are distinct (lines 44-46, Col. 2). Thus, 
the present invention is highly conducive for use with existing computer 
systems and/or networks (lines 4-6, Col. 10)]. Applicant argues that priority 
order disclosed in Yang reference is not based on the relative importance of the 
element in the network environment It is, however, noted that Applicant has not 
pointed out with respect to what criteria/standard the determination of the 
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"importance" of the element is based on (i.e., importance according to the 
network traffic/bandwidth, the network hierarchical level, the user role, and etc.). 
Therefore, based on the reasons above, the meaning of "relative importance of 
the element" in the claim language is believed to be already included in the term 
"priority order" by Yang, and still applicable to the rejection of the claim language, 
(d) Kingsford discloses the calculation of a security score by summing one or 
more vulnerabilities associated with the element as assigning risk values 
associated with the vulnerabilities [In the preferred embodiment, 
vulnerabilities are assigned a risk value on a scale of 1-100, with 1-33 being 
low risk, 34-66 being medium risk, and 67-100 being high risk. Each 
system's risk and/or collective risk profile for the penetration test can be 
displayed to the user on the user interface (lines 41-46, Col. 19)]. 
Because each of the references by Proctor, Gleichauf, Hartley, Kingsford, and 
Yang, respectively discloses one or more argued limitation(s) of Claim 1, it is 
believed that the combination of the above-mentioned references meets the 
scope of the claim limitations. Thus, contrary to Applicant's argument, the 
rejection of Claim 1 should be maintained based on the above reasons. 

Regarding to Argument (2): 

Brabson reference discloses the supplying blackout time (i.e. unavailable time) 
for the network during which time the network is under maintenance and nothing 
can be scheduled [a particular portion of a network was scheduled to be 
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unavailable for scheduled maintenance it would supply appropriate values 
for the UNAVAILABILITY PERIOD to the Network nodes. If the 
UNAVAILABILITY PERIOD information is stored in a table at the originating 
node the network manager could update the table as required (lines 23-28, 
Col. 11)], and Barroux references discloses the repeated process/task can be 
scheduled accordingly [Integrated resource 200 also computes whether 
tasks need to be repeated and builds an interval schedule for tasks 
requiring repetition into its schedule (lines 36-38, Col. 4)]. Since, the 
combination of the references by Proctor, Gleichauf, Hartley, Kingsford, and 
. Yang already disclose argued limitation(s) of Claim 1 as above, references by 
Brabson and Barroux are not required teach or suggest at least the features as 
set forth in Claim 1. 

Regarding to Argument (3): 

Because other independent claims are sharing similar limitations as claim 1, the 
combination of the references by Proctor, Gleichauf, Hartley, Kingsford, and 
Yang are sufficient to meet the argued limitation(s) of these claims. Please refer 
to argument (1) above. 

Applicant is reminded that additional modification to clarify the claimed limitation 
is necessary for further consideration and distinction from the prior art. 
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Allowable Subject Matter 

Claim 10 is objected to as being dependent upon a rejected base claim, but 
would be allowable if rewritten in independent form including all of the limitations 
of the base claim and any intervening claims. 

Conclusion 

19. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened statutory 
period, then the shortened statutory period will expire on the date the advisory 
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will 
the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

a. Diep (U.S. Patent 6,370,648) discloses detecting harmful or illegal 
intrusions into a computer network or into restricted portions of a computer 
network uses statistical analysis to match user commands and program 
names with a template sequence. Discrete correlation matching and 
permutation matching are used to match sequences. The result of the 
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match is input to a feature builder and then a modeler to produce a score. 
The score indicates possible intrusion. A sequence of user commands 
and program names and a template sequence of known harmful 
commands and program names from a set of such templates are 
retrieved. A closeness factor indicative of the similarity between the user 
command sequence and a template sequence is derived from comparing 
the two sequences. The user command sequence is compared to each 
template sequence in the set of templates thereby creating multiple 
closeness or similarity measurements. These measurements are 
examined to determine which sequence template is most similar to the 
user command sequence. A frequency feature associated with the user 
command sequence and the most similar template sequence is 
calculated. It is determined whether the user command sequence is a 
potential intrusion into restricted portions of the computer network by 
examining output from a modeler using the frequency feature as one 
input. 

20. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Yin-Chen Shaw whose telephone number is 571- 
272-8593. The examiner can normally be reached on 8:15 to 4:15 M-F. If 
attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Yen Vu can be reached on 571-272-3859. The fax phone 
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number for the organization where this application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll- 
free). 
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